[00:01.060 --> 00:06.100]  Hey and welcome to Keystone to the Kingdom. This is a talk on targeting Best SFIC locks
[00:06.100 --> 00:12.420]  and you'll know in a second about what that is, just in case you don't. This is a talk being
[00:12.420 --> 00:18.280]  given to DEF CON 28's Lockpicking Village. Unfortunately we have COVID going on in the
[00:18.280 --> 00:21.960]  world and we are not going to be able to meet in person, so I would encourage you to reach out to
[00:21.960 --> 00:27.380]  me on Twitter, reach out to me on Discord inside of the DEF CON channel, and I'd love to have your
[00:27.380 --> 00:32.500]  thoughts, your opinions, any questions you have, send them my way, happy to discuss.
[00:34.280 --> 00:39.600]  Who am I? My name is Austin Mark. I'm a security enthusiast first and foremost.
[00:40.100 --> 00:48.520]  I have been doing pen testing for a number of years for a small to mid-market tax consulting
[00:48.520 --> 00:55.200]  and audit firm called RSM and doing red team assessments where we regularly run into Best SFIC
[00:55.200 --> 01:01.400]  locks, we see them in the field. On the right hand side you also have my Hack the Box profile,
[01:01.400 --> 01:06.880]  Twitter, website, feel free to reach out to me on any of those. And you have a disclaimer,
[01:06.880 --> 01:12.680]  I am not a locksmith, so my thoughts, opinions on how to secure locks probably should only be taken
[01:13.880 --> 01:20.800]  as an attacker, things that I think work, but really remediating these issues or operating
[01:20.800 --> 01:25.120]  your locks is something that's best sent to a locksmith who can give you better advice than I
[01:25.120 --> 01:30.660]  can. And on the left hand side you have a photo of me at IKEA. I don't believe I ever got that mirror,
[01:30.660 --> 01:35.480]  which is unfortunate, but as I was flipping through photos trying to find something that
[01:35.480 --> 01:38.380]  I thought was appropriate for this talk, this was the one that stood out to me.
[01:39.460 --> 01:46.360]  All right, so this is Anthology, this is a collection of talks that I'm giving at DEF CON
[01:46.360 --> 01:52.180]  and hopefully years to come, other conferences. This is just how I organize my talks, it's all
[01:52.180 --> 01:56.920]  under this Anthology brand. Left hand side you've got this little picture of an ant,
[01:56.920 --> 02:01.580]  it's kind of like a circuit board, that's just my little Anthology symbol.
[02:02.980 --> 02:07.220]  While parts of this lab should be done with locks and keys in hand,
[02:07.220 --> 02:10.800]  I'd really prefer this to be a hands-on talk, we're going to deal with COVID and we're going
[02:10.800 --> 02:15.460]  to have some parts of this be a web-based CTF where you can at least learn a little bit about
[02:15.460 --> 02:23.260]  Best SFICs. When we get done with the talk, I will open up the CTF and anybody who'd like to
[02:23.260 --> 02:29.900]  can join in, chase down some flags, there will be a prize for whomever wins, so feel free to
[02:29.900 --> 02:34.180]  reach out if you believe that you're the winner and I think we'll wrap this up 24 hours after the
[02:34.180 --> 02:40.720]  talk. Down at the bottom you have some logins, you have a CTF login at pctf.ant.red, that is
[02:41.440 --> 02:45.780]  a CTFd instance that has some challenges, I think there's something like 10 challenges,
[02:45.780 --> 02:48.960]  just kind of shooting the gambit across different parts of targeting a Best SFIC
[02:48.960 --> 02:54.820]  system. You also have course materials that just links out to a GitHub page, you can pull down
[02:54.820 --> 03:01.020]  some PDFs and some further learning resources if you're interested in Best SFICs. And then you've
[03:01.020 --> 03:06.500]  got a Keystone Web instance, you'll learn a little bit more in a second about what Keystone Web is,
[03:06.500 --> 03:12.780]  but there it is out at ksw.ant.red. And down at the bottom you have a login for that.
[03:13.520 --> 03:18.520]  All right, so let's jump into the agenda. So here's what we're going to try to cover. What
[03:18.520 --> 03:26.840]  are SFICs? What are key marks? It's kind of in the name, it's the marks on the Best SFIC keys.
[03:27.080 --> 03:31.560]  Where are SFICs? So where are you going to find them? And then what can we do once we've found
[03:31.560 --> 03:39.080]  them? So first and foremost, what is an SFIC? SFIC stands for Small Format Interchangeable Core.
[03:39.280 --> 03:44.580]  Let's see... yep, you guys can see it there. They're a way for businesses to change which
[03:44.580 --> 03:49.240]  key goes to which door quickly. They can also provide a means of access control. So
[03:49.880 --> 03:54.380]  Sally shouldn't be able to go into Jim's room, but the janitor should probably be able to go
[03:54.380 --> 03:59.480]  everywhere, right? So that janitor needs to be able to get access to both of their rooms. So
[03:59.480 --> 04:08.820]  to be able to do that, you have a master key that will open both doors. So to that end, these pins
[04:08.820 --> 04:14.000]  that go inside of these locks are considered master keyed. There's a number of different
[04:14.000 --> 04:21.220]  segments and you'll see in a second what those kind of look like. Moving on from that, where
[04:21.220 --> 04:28.100]  are we going to find SFICs? SFICs are in schools, office buildings, hotels, and very large businesses.
[04:28.100 --> 04:34.680]  So you'll see them very regularly. I remember when I gave this talk or a talk similar to this
[04:34.680 --> 04:39.400]  last year at DEF CON, I noticed a ton of SFICs all around me. It's kind of one of those things where
[04:40.160 --> 04:45.320]  you get a new car and all of a sudden everybody's driving your car, right? So this is kind of the
[04:45.320 --> 04:49.700]  same thing. You figure out that you have an interest in SFICs and everybody suddenly has an
[04:49.700 --> 04:57.440]  SFIC and it's always something to look at, right? So what are key marks? Key marks are exactly what
[04:57.440 --> 05:05.220]  they sound like. It's simply a stamp that is put on a key for tracking. Should help you know if a
[05:05.220 --> 05:14.240]  key goes to a door. And it'll also help you track who has access to what. So what can we do once we
[05:14.240 --> 05:19.000]  know that there's an SFIC that is part of this environment that we're targeting? We could
[05:19.000 --> 05:23.520]  potentially pick it. We can potentially duplicate some of those keys if we're able to get access to
[05:24.080 --> 05:28.860]  We're able to move laterally with those keys because they are part of the system. So if you
[05:28.860 --> 05:34.180]  know where you are within a system, you can potentially move from one door to another.
[05:34.340 --> 05:39.260]  And that all gets kind of done by doing what is called system decoding. And we'll walk through
[05:39.260 --> 05:48.630]  some of what that is and how we do that. All right, so we'll talk a little more about what
[05:48.630 --> 05:54.810]  these SFICs really are. So an SFIC, as it would be installed, is on the left-hand side. You can see
[05:54.810 --> 06:00.690]  on the front, you've got a core mark of what appears to be PG7. And it says Best. So you
[06:00.690 --> 06:05.650]  definitely know you're dealing with a Best SFIC rather than another manufacturer's SFIC. For this
[06:05.650 --> 06:11.230]  talk, we will be specifically talking about Best A2 system SFICs, which is the most common. These
[06:11.230 --> 06:19.070]  are the ones that I see the most often in the field. This is a door that would only be openable
[06:19.070 --> 06:29.030]  by the PG7 key or another master key or key that is mastered to the PG7 core mark. So if I were to
[06:29.030 --> 06:35.170]  get a key at an elevated part of the hierarchy, I could also operationally open this door.
[06:35.730 --> 06:41.510]  You also have a control key. Control keys can open any door in a system, and they're particularly
[06:41.510 --> 06:45.390]  sensitive. And we'll talk a little bit about how to get access to those in a little bit.
[06:45.950 --> 06:52.890]  So on the inside of an SFIC, this one has been fully gutted. So you don't really have any pins
[06:52.890 --> 06:59.170]  in here, but it helps us kind of walk through what the different items are. There is a cap that
[06:59.170 --> 07:06.670]  typically goes in the top. You have an operating shear line that will allow this to turn freely,
[07:06.670 --> 07:19.410]  which would move these throw pins and unlock a door. Or if the control pins are set in such a
[07:19.410 --> 07:26.730]  way that the control lug would turn, this would allow the core to then rotate and pull in the
[07:27.130 --> 07:34.030]  control lug, which would allow you to remove the core from the door. So that is the parts and pieces
[07:34.030 --> 07:39.370]  of an SFIC core. We'll have a kind of exploded picture after this that should help explain that
[07:39.510 --> 07:45.950]  a little further. And really the goal of this slide is to make sure you're familiar with the
[07:45.950 --> 07:51.810]  control lug, which allows this to be placed in a door, secured to a door, and then operated with
[07:51.810 --> 07:59.090]  operating keys. All right, so IC cores. These are interchangeable cores. On the left-hand side,
[07:59.090 --> 08:04.690]  you have a standard housing that will typically hold one of these cores. It's not exclusively
[08:04.690 --> 08:13.230]  these indoor cores. You might actually have a padlock, much like this one. So you could
[08:13.230 --> 08:18.010]  potentially gain access to one of these. And when we start talking about removing cores and walking
[08:18.010 --> 08:23.830]  off with something and gaining access to the full system because you have something in hand,
[08:24.350 --> 08:29.990]  a padlock like this is particularly useful. And then on the right-hand side, you have an
[08:29.990 --> 08:37.350]  exploded version where you can see the key, the plug, the bottom pins, the cylinder cover,
[08:37.350 --> 08:42.570]  cylinder itself, all of the segments we talked about. So that's part of that master keying.
[08:42.570 --> 08:51.110]  And then your springs and your top pins that you will be bumping out
[08:52.410 --> 09:00.760]  if you're going to get one of these locks. All right, moving on, let's talk about SFIC keys.
[09:00.760 --> 09:10.300]  So these are SFIC keys like this. And you can kind of see on the front there a key mark.
[09:10.300 --> 09:17.920]  So on our screenshot, it's BA1. And on the one in hand, it is SR1. On the key in hand,
[09:17.920 --> 09:25.660]  we also have a keyway marking that is H, if you can see that, I hope. And then there's also
[09:25.660 --> 09:31.100]  keyway mark A on the key in the picture. The serialization marking is particularly useful
[09:31.100 --> 09:36.560]  for tracking multiples of the same key. So let's say we had 10 of these, and I wanted to know if
[09:36.560 --> 09:42.720]  Stu lost his version of the key. I'd like to be able to know which key is missing by maybe taking
[09:42.980 --> 09:49.380]  a count of all the keys and saying, hey, serialization key is missing this specific
[09:49.380 --> 09:54.420]  serialization. Stu, what happened? I thought we trusted you with that key. All right. And then
[09:54.420 --> 10:05.480]  lastly, it's just this tip stop. So let's talk about systems. So this is the hierarchy of a
[10:05.480 --> 10:11.680]  Best SFIC system. The top, you have the control. The control key will operate every key within a
[10:11.680 --> 10:19.080]  system and also allow you to remove one of these SFIC cores from the door. And if you can remove a
[10:19.080 --> 10:24.680]  core, you can decode the entire system. We'll talk a little bit about what that means and what the
[10:24.680 --> 10:30.300]  impact of that is. But if you can get a control key, you're golden. If you can get a grand master
[10:30.300 --> 10:39.160]  key, you're also golden. A grand master key will operationally turn every lock within a system. So
[10:39.160 --> 10:45.360]  if you can grab a grand master key, you can open up any door within that system. So
[10:46.700 --> 10:53.220]  typically, you'll see GM written on a key that is a grand master key. So if you can find a key
[10:53.220 --> 11:01.060]  on a lanyard or sitting on a desk that says GM, that might be one to take a picture of or
[11:01.060 --> 11:06.860]  borrow for a moment or what have you. Typically, if there's different systems within, there might
[11:06.860 --> 11:13.340]  be a master of system A, master of system B, and those are just submasters. So those many times
[11:13.340 --> 11:19.160]  you'll see written as MA, MB, MC, MD. It's not a hard and fast rule. It doesn't have to be true.
[11:19.160 --> 11:25.660]  It's just kind of a general thing that has been observed over the years. Operating keys,
[11:25.660 --> 11:30.680]  as we've discussed, these are keys that you typically give an authorized user to access
[11:30.680 --> 11:36.200]  their office or their door or the server room or some other sensitive area. I've been told by a
[11:36.200 --> 11:40.940]  number of college students that they see these operating keys, they're giving them as part of
[11:40.940 --> 11:48.460]  their dorms. So maybe they have the operating key to their door and a submaster belongs to
[11:50.220 --> 11:59.400]  whoever runs that part of the dormitory. A CA, I think they call it. All right, so moving on.
[12:00.320 --> 12:08.000]  Keyways. So let's talk a little bit about keyways. The Best SFIC keyways are a part of their
[12:08.000 --> 12:15.560]  control system. The keyways are intended to increase the complexity of an attack against
[12:15.560 --> 12:26.340]  Best SFICs. So if I were to hold up this Best SFIC that has what I believe to be a H keyway
[12:26.340 --> 12:34.900]  and I were to pop that key in there, he works no problem. So he fits in there no issue whatsoever.
[12:35.000 --> 12:44.420]  And then if I were to hold these two Best SFIC keys together, you should see they're very different
[12:46.660 --> 12:54.060]  cuts. So unfortunately, even though this is a completely empty keyway, I'm not going to be
[12:54.060 --> 13:02.420]  able to fit that in there. And that's just a function of a control of the Best SFIC family.
[13:02.440 --> 13:06.760]  So in the middle, you can see a chart of all the different keyways that Best offers on their
[13:06.760 --> 13:16.640]  standard non-CORMAX, non-overly complicated Best cores. Again, this specific talk is just
[13:16.640 --> 13:20.800]  going to be about Best SFICs inside of the A2 system because these are the most common ones
[13:20.800 --> 13:26.580]  that I see. There are also multi-keyway keys. So this is kind of exciting. So if you take a look
[13:26.580 --> 13:36.740]  at the WA, WB, WC items on your chart, you'll see that those keyways are kind of similar. So you
[13:36.740 --> 13:43.420]  could potentially have a single key that works for all three. And this just adds additional complexity
[13:43.420 --> 13:50.460]  and mastering opportunities between different Best SFIC cores. On the right-hand side,
[13:50.460 --> 14:00.480]  you can see a Falcon multiplex family set of core keyways. I think it's just a good example of
[14:00.480 --> 14:05.800]  an all-section key up at the top. And then you've got two multi-section keys that are kind of unique.
[14:06.330 --> 14:13.700]  And then it steps down into single-section keys and then another keyway that would potentially
[14:13.700 --> 14:23.640]  open for any key. So the E-keyway is potentially openable by all the other ones above it.
[14:23.740 --> 14:33.520]  All right, so moving on. Let's talk about lateral movement. This item here on the right
[14:33.520 --> 14:37.660]  is straight from a codebook. A codebook is something a locksmith uses to track
[14:37.940 --> 14:46.640]  what the key codes are for a key. If you hold this key up for you, you can see the bitting.
[14:46.700 --> 14:51.860]  That bitting directly relates to the key code. So if you can get a key code, you can cut a key.
[14:52.520 --> 14:59.840]  Up at the top, you have SMBA. So that's a submaster for the BA system. And then you
[14:59.840 --> 15:08.060]  have a couple other keys that are part of the BA system. All right, so if you note,
[15:08.060 --> 15:13.620]  there is actually a pattern going on between the fifth and sixth columns of the key code,
[15:14.160 --> 15:21.760]  where it kind of steps up by two and then down. Or vice versa, it could be
[15:22.460 --> 15:28.600]  if you're going from the third column from the right to the column second from the right,
[15:28.600 --> 15:35.300]  you're going down and then up, up, up, and you're cycling every four by two.
[15:36.060 --> 15:40.140]  So it's a lot easier for me to show you a video of what this actually looks like,
[15:40.140 --> 15:43.380]  because it looks a little complicated here, but there is definitely a pattern
[15:44.040 --> 15:54.740]  that you can abuse. So potentially, you can move laterally. All right, so we talked a little bit
[15:54.740 --> 16:01.180]  about the keys themselves and kind of the key codes and what they mean. Let's talk about what
[16:01.180 --> 16:05.320]  happens if you get a key in hand. If you can get a key in your hand, you could use a key decoder,
[16:05.320 --> 16:12.920]  and you could quickly discern the bitting and recreate those keys or at least get an understanding
[16:12.920 --> 16:19.020]  for where that key goes within a system. And then you could also use calipers. So calipers,
[16:19.020 --> 16:23.860]  probably not these little tiny measuring calipers on the right-hand side that attach to a keychain,
[16:24.660 --> 16:32.440]  but calipers will measure your pins or your bitting on a key, and you can use that to recreate
[16:33.120 --> 16:38.880]  either a core or the key itself. So if you can get a key or core in hand,
[16:38.880 --> 16:45.580]  you can definitely duplicate it then. All right, key in photo, you could use one of
[16:45.580 --> 16:50.620]  these decoding charts. These are provided by Deviant Ollam. I find these ones very useful.
[16:51.760 --> 16:55.380]  Their usefulness depends on the quality of the photo that you take, of course.
[16:55.480 --> 16:59.840]  If you have a photo that's kind of jostled or shot from across the room, it might be a little
[16:59.840 --> 17:06.280]  more difficult to actually make that photo work for you. But with some Photoshop magic,
[17:06.280 --> 17:12.520]  you might be in luck. There's also an app called SnapDecoder. I have had mixed results with this
[17:12.520 --> 17:19.380]  app. Honestly, I haven't gotten much usage out of it, but I figured I'd share it. This app promises
[17:19.380 --> 17:26.720]  to be able to discern the bitting of a key by holding it up to the app. So in an ideal world,
[17:26.720 --> 17:30.720]  you would be able to take this app, and maybe in a future update or maybe an update that I haven't
[17:30.720 --> 17:36.160]  seen, you'd be able to point this app at a key, tell it it's a Best SFIC key, and it will tell
[17:36.160 --> 17:41.460]  you the bitting. And then you could go off-site, recreate that key, and start opening doors right
[17:41.460 --> 17:47.480]  then and there. So these are two ways that you could take a key and a photo using a decoding
[17:47.480 --> 17:53.060]  chart or an app, and start to understand what the bitting is for that key, and potentially
[17:53.060 --> 17:58.300]  recreate it before handing it back to a mark or having to leave it somewhere so you're not being
[17:58.300 --> 18:03.160]  detected. All right, cool. All right, so we talked about key in hand, key in photo. What about key
[18:03.160 --> 18:10.760]  on web? So keys on websites that are Active Directory integrated. That sounds great to me
[18:10.760 --> 18:15.420]  as an attacker. As a red teamer, I'm always targeting Active Directory. That's something
[18:15.420 --> 18:22.440]  we're always looking for, is a way to move laterally within AD. Keystone Web is an Active
[18:22.440 --> 18:29.700]  Directory-managed and Active Directory-joined website where you can... their phrase is,
[18:29.700 --> 18:35.080]  it will help the user manage keys and core records for multiple personnel throughout
[18:35.080 --> 18:40.160]  various locations. This product allows for importing and appending data, mass deletes
[18:40.160 --> 18:48.880]  for employees, key and door key data, and an activity log that tracks user transactions. So
[18:48.880 --> 18:55.380]  if we add a new employee, maybe he gets a new key to his door. If I have access to this website,
[18:55.380 --> 19:00.220]  I know exactly what that key is. And then I also know the master key, right? So if I look on the
[19:00.220 --> 19:07.640]  right-hand side here, we see the master key code is 8301836. If I recreate a key with that code,
[19:07.640 --> 19:15.280]  I can now open every door within that system. And then you also see the control key bitting.
[19:15.280 --> 19:22.420]  So that one was 4189250. That's particularly useful because that tells me that I can now
[19:22.420 --> 19:25.920]  start removing some of these cores from the system if I want to and adding my own
[19:26.700 --> 19:30.940]  for potential denial of service, of course, but there may be more interesting things that you can
[19:30.940 --> 19:35.840]  do by swapping out a core. You might be able to start decoding the system if you don't have access
[19:35.840 --> 19:42.380]  to something as powerful as Keystone Web. We can also see up at the top the system type, which is
[19:42.380 --> 19:48.860]  an A2 system. I know we spoke about specifically Best SFIC A2 systems, and that's what we would be
[19:48.860 --> 19:56.600]  targeting. We see the keyway for this system, so this is an A keyway system. And we see it's a 7-pin
[19:56.600 --> 20:01.040]  system, so we know that we're going to be working with 7-pin locks. The majority of the Best SFIC
[20:01.040 --> 20:06.440]  systems I see are 7-pin systems. And part of what makes them difficult to pick is the fact
[20:06.440 --> 20:12.980]  that they're 7-pins, but then also they have master keying. And because they have master keying,
[20:12.980 --> 20:19.780]  it's very easy for those wafers to fall as you're picking, and it's very hard to line them up
[20:19.780 --> 20:24.500]  consistently with what would be an actual operating bitting. But we will talk a little
[20:24.500 --> 20:33.540]  bit about picking to control, and that is something you would do if the core is in the door.
[20:33.540 --> 20:38.720]  So if the core is in the door, you can pick to control with a Peterson I-core tensioning tool.
[20:38.720 --> 20:45.880]  So this is a type A tool. This is for tensioning a SFIC, and what it's doing is it's putting
[20:45.880 --> 20:53.200]  pressure on the bottom of the core inside of those holes that we saw. These same holes here,
[20:53.200 --> 20:59.360]  if you can see that. So those holes are getting tensioned by this tool, and what that does is that
[20:59.360 --> 21:06.300]  forces pressure on where the control pins would be. And because there's now pressure there,
[21:06.300 --> 21:11.800]  when you pick the lock, you have a higher likelihood of picking to control. And if you
[21:11.800 --> 21:17.900]  pick to control, you could potentially get this core out of the door, which would be great because
[21:17.900 --> 21:23.020]  now we can open that door, but we can also replace the core with a core of our choosing, or
[21:23.660 --> 21:31.880]  begin to decode the system. And we'll talk about that just after this. There is another option.
[21:31.880 --> 21:36.180]  You could do what is referred to as bitch picking. It's not my name for it,
[21:36.180 --> 21:41.100]  but that's basically jamming a pick inside of a Best SFIC over and over again,
[21:41.760 --> 21:45.780]  fairly aggressively. These locks are actually fairly prone to that.
[21:45.780 --> 21:49.420]  Something to do with the way that master wafers work.
[21:50.320 --> 21:54.980]  A lot of times you'll get lucky enough to pick to control, and if you're able to do that,
[21:56.240 --> 21:59.780]  you kind of have the keys to the kingdom. You can decode every part of the system
[22:00.800 --> 22:08.000]  once a core is in your hand. Then I also have a photo of the Lishi Best SFIC 2-in-1.
[22:08.140 --> 22:15.760]  This is a decoder for Best SFIC locks that you can decode the operating key as you pick.
[22:15.780 --> 22:23.120]  So you put tension on the core and you're able to decode it using the chart on the right-hand side.
[22:23.440 --> 22:30.320]  They're a little spendy, so I don't carry one, but I do have a couple for non-Best SFICs.
[22:30.420 --> 22:37.480]  So core in hand. Let's say we're able to get one of these cores in hand.
[22:38.200 --> 22:42.880]  What we might want to do is pull the pins out so we can actually understand how the system works
[22:42.880 --> 22:53.760]  and decode that system. So we might 3D print one of these. This is a SFIC pin extraction tool,
[22:53.760 --> 22:59.860]  or repinning tool. Redcat Imaging put this out on Thingiverse. I strongly recommend you go
[22:59.860 --> 23:05.460]  pull it down from there. A standard all-metal version of this goes for well over a hundred
[23:05.460 --> 23:12.220]  dollars everywhere that I've ever seen them, and a 3D printed version is pennies.
[23:12.880 --> 23:20.980]  And they work beautifully. So from what I've been told they're not an easy print, but if you were
[23:20.980 --> 23:25.360]  to pull one in and run it inside of a Prusa, apparently they've been fairly successful.
[23:25.440 --> 23:31.860]  I had a friend print this off for me and it works great. Essentially you're going to take your SFIC,
[23:31.860 --> 23:41.360]  pop them inside. You can hammer on it a number of different ways. Some people like to use the
[23:44.000 --> 23:50.300]  like a flag pin that you could stick in the top of one of these holes and knock the pins out of
[23:50.300 --> 23:53.960]  the bottom. So what you're going to do is you're going to pop the caps on the back here, and
[23:53.960 --> 24:00.460]  hopefully all that gets collected. Hopefully just the top caps. And then you can slowly remove the
[24:00.460 --> 24:06.980]  rest of your pins. And really what you're interested in is the top pin. So we're going to
[24:06.980 --> 24:12.120]  talk a little bit about decoding pins. All right, so we've extracted pins. We've hammered them out
[24:12.680 --> 24:17.160]  and you can see I've got them sitting inside of a little Sparrows tray that I've got
[24:17.160 --> 24:23.980]  with the top pins up top. And we can begin to kind of measure those. So there's my calipers
[24:23.980 --> 24:33.620]  on the right hand side. We were able to measure them and for whatever reason this is in millimeters
[24:33.620 --> 24:39.740]  but it needs to be converted to inches for the chart that's provided by, I believe this was from
[24:39.740 --> 24:49.160]  Best. And it comes out to, for this specific pin that I was measuring, 0.07. So that 0.07 pin lines
[24:49.160 --> 24:56.800]  up with a 6b pin. So we know that that pin, that top pin is a 6b pin. So that helps us understand,
[24:56.800 --> 25:04.040]  okay, so here's our top pins. Here's what we, here's what each of these items are if we want
[25:04.040 --> 25:10.260]  to recreate this core. But where this gets really helpful and really interesting is when we start
[25:10.260 --> 25:16.420]  to decode a system using this. So this is a decoding chart. So we can fill this out with
[25:16.420 --> 25:22.360]  your top pins, your build-up pins, master pins. If there are any, of course there typically will
[25:22.360 --> 25:29.240]  be in a lock like this. And then you will subtract from 13 the measure of your top pin and that will
[25:29.240 --> 25:36.420]  give you the control key bitting. So as we discussed, a control key bitting is something you can use to
[25:36.420 --> 25:41.940]  create a control key. And if you create a control key, that can open every lock in the system. If
[25:41.940 --> 25:46.440]  you can open every lock in the system, you can go into any door in the organization that you're
[25:46.440 --> 25:52.880]  targeting. So if you can potentially gain access to, you know, a lock like this, or perhaps it's
[25:52.880 --> 26:00.360]  the core of a bathroom or something that's non-sensitive, and you're able to decode
[26:00.360 --> 26:08.340]  the control key, you can now leave, come back with that control key, and start removing
[26:08.340 --> 26:12.660]  cores to very sensitive doors that you'd like to gain access to.
[26:14.900 --> 26:21.500]  And that's it for this talk on Keystone to the Kingdom, a talk about targeting Best SFIC locks.
[26:21.500 --> 26:28.940]  I would ask for a Q&A here now, but because this is COVID, we're all remote. We can't do
[26:28.940 --> 26:33.400]  that, but I would encourage you to reach out to me on Twitter, send me a DM on Discord,
[26:34.560 --> 26:38.680]  and don't be a stranger. Feel free to reach out, give me your thoughts, ask questions.
[26:38.680 --> 26:44.340]  If something wasn't clear, let me know. And I welcome it. So thank you.
